STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide, Version 8, Release 3, Benchmark Date: 23 Apr 2021

IBM RACF users must have the required default fields.

DISA Rule

SV-223717r604139_rule

Vulnerability Number

V-223717

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

RACF-ES-000700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review all USERID definitions to ensure the required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI. The following are sample commands to correct this vulnerability.

-To add a NAME to a userid, use the command ALU <userid> NAME('lastname, firstname').
-Every user is assigned a default group by default. A sample command to reassign a default group is: ALU <userid> DFLTGRP(<newdefaultgroup>). The user must first be connected to the group via the RACF CONNECT command before it can be made the default group.
-A PASSDATE field or a PHRASEDATE field showing 00.000 indicates that a temporary password or password phrase has been assigned but the user has not logged on and set a permanent value. This could indicate that a new userid was recently added, or that a previously added userid is unused and should be considered for deletion. The ISSO should investigate and determine whether the userid should be deleted or whether the new user should be contacted and told to log on and set a permanent value.

Check Contents

From a z/OS command screen enter:
ListUser *

Examine each user entry and verify that every user is fully identified by all of the following conditions:
-A completed NAME field that can be traced back to a current DD2875 or to a vendor requirement (example: a Started Task).
-The presence of the DEFAULT-GROUP and OWNER fields.
-The PASSDATE field or the PHRASEDATE field, as applicable, is not set to N/A (excluding users with the PROTECTED attribute).

If all of the above are true, this is not a finding.

If any of the above is untrue, this is a finding.
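As an added illustration (not part of the STIG or of STIGQter), the following Python script applies the three conditions above to LISTUSER output. The sample records are constructed and only approximate the real LISTUSER layout; treating NAME=UNKNOWN as an incomplete NAME field is an assumption.

```python
import re

# Constructed sample approximating "LISTUSER *" output (assumed layout, not a real capture).
SAMPLE = """\
USER=JSMITH   NAME=SMITH, JOHN          OWNER=SYSADM    CREATED=21.045
 DEFAULT-GROUP=DEVGRP   PASSDATE=21.046 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=STCUSR   NAME=STARTED TASK CICS    OWNER=SYSADM    CREATED=20.300
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
USER=TEMP01   NAME=UNKNOWN              OWNER=SYSADM    CREATED=21.100
 DEFAULT-GROUP=USERS    PASSDATE=N/A    PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
"""
# One regex per field the check cares about; NAME runs up to the OWNER= token.
FIELDS = {
    "NAME": r"NAME=(.*?)\s+OWNER=",
    "OWNER": r"OWNER=(\S*)",
    "DEFAULT-GROUP": r"DEFAULT-GROUP=(\S*)",
    "PASSDATE": r"PASSDATE=(\S*)",
    "PHRASEDATE": r"PHRASEDATE=(\S*)",
    "ATTRIBUTES": r"ATTRIBUTES=(.*)",
}

def parse_listuser(text):
    """Split LISTUSER output into one dict of fields per USER= block."""
    users = {}
    for block in re.split(r"^(?=USER=)", text, flags=re.M):
        m = re.match(r"USER=(\S+)", block)
        if not m:
            continue
        rec = {}
        for key, pat in FIELDS.items():
            f = re.search(pat, block)
            rec[key] = f.group(1).strip() if f else ""
        users[m.group(1)] = rec
    return users

def check_user(rec):
    """Return the RACF-ES-000700 conditions this user fails (empty list = compliant)."""
    findings = []
    if rec["NAME"] in ("", "UNKNOWN"):  # assumption: RACF shows UNKNOWN when NAME was never set
        findings.append("NAME not completed")
    for field in ("DEFAULT-GROUP", "OWNER"):
        if not rec[field]:
            findings.append(f"{field} missing")
    protected = "PROTECTED" in rec["ATTRIBUTES"].split()
    if not protected and rec["PASSDATE"] == "N/A" and rec["PHRASEDATE"] == "N/A":
        findings.append("no PASSDATE/PHRASEDATE and user is not PROTECTED")
    return findings

def audit(text):
    """Map each userid in LISTUSER output to its list of failed conditions."""
    return {uid: check_user(rec) for uid, rec in parse_listuser(text).items()}
```

Any userid whose list is non-empty is a finding under this rule; an empty list for every userid means the check passes for the reviewed output.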

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments